Information About RADIUS

The Remote Authentication Dial-In User Service (RADIUS) distributed client/server system allows you to secure networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco Nexus devices and send authentication and accounting requests to a central RADIUS server that contains all user authentication and network service access information.

RADIUS fits the following network environments:

Networks with access servers from several vendors.

Network devices from several vendors can share a single RADIUS server-based security database.

Networks already using RADIUS.

You can add a Cisco Nexus device that uses RADIUS to the network. This might be the first step when you transition to an AAA server.

Networks that require resource accounting.

You can use RADIUS accounting independently of RADIUS authentication or authorization. The RADIUS accounting functions allow data to be sent at the start and end of services, indicating the amount of resources (such as time, packets, bytes, and so on) used during the session. An Internet service provider (ISP) might use a freeware-based version of the RADIUS access control and accounting software to meet special security and billing needs.

Networks that support authentication profiles.

Using the RADIUS server in your network, you can configure AAA authentication and set up per-user profiles. Per-user profiles let the Cisco Nexus device manage ports through the existing RADIUS solution and efficiently manage shared resources to offer different service-level agreements.

Information About RADIUS Operations

When a user attempts to log in and authenticate to a Cisco Nexus device using RADIUS, the following process occurs:

The user is prompted for and enters a username and password.

The username and password are sent over the network to the RADIUS server. Only the password is hidden, using the RFC 2865 User-Password transform (an MD5 keystream derived from the shared secret and the Request Authenticator); the username and every other attribute are sent in cleartext, and anyone who knows the shared secret can recover the password from a packet capture. Treat the shared secret as a credential and keep the path between the switch and the server inside a network you trust.

The user receives one of the following responses from the RADIUS server:

ACCEPT—The user is authenticated.

REJECT—The user is not authenticated and is prompted to reenter the username and password, or access is denied.

CHALLENGE—A challenge is issued by the RADIUS server. The challenge collects additional data from the user.

CHANGE PASSWORD—A request is issued by the RADIUS server, asking the user to select a new password.

The ACCEPT response is bundled with additional attributes that are used for EXEC or network authorization; a REJECT carries at most a Reply-Message text, not authorization data. You must first complete RADIUS authentication before using RADIUS authorization. The additional attributes included with the ACCEPT packet consist of the following:

Services that the user can access, including Telnet, rlogin, or local-area transport (LAT) connections, and Point-to-Point Protocol (PPP), Serial Line Internet Protocol (SLIP), or EXEC services.

Connection parameters, including the host or client IPv4 or IPv6 address, access list, and user timeouts.
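The request sent in the second step above, as an added Python example that is not part of the Cisco guide: it builds an RFC 2865 Access-Request, applies the User-Password hiding that the guide calls encryption, and parses the packet back to show what an observer on the wire sees. The shared secret, username, password, NAS IP address and fixed Request Authenticator used in the demonstration are constructed test values; a real client draws the authenticator from os.urandom for every request.

```python
import hashlib
import os
import struct

# RADIUS packet code and attribute types from RFC 2865.
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def hide_password(secret: bytes, request_authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: pad the password with NULs to a
    multiple of 16 bytes and XOR each 16-byte chunk with MD5(secret + previous
    output chunk); the first chunk uses the Request Authenticator instead.
    This is a reversible obfuscation keyed on the shared secret, not encryption
    with integrity protection."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + chunk, chunk
    return out


def unhide_password(secret: bytes, request_authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password: what the server, or anyone holding the shared
    secret and a capture of the packet, does to get the password back."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(chunk, keystream)), chunk
    return out.rstrip(b"\x00")  # drop the NUL padding (a password ending in NUL is ambiguous)


def attribute(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: type, length (header included), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret: bytes, identifier: int, username: bytes,
                         password: bytes, nas_ip: str = "192.0.2.10",
                         request_authenticator: bytes = b"") -> bytes:
    """Access-Request: code, identifier, length, 16-byte Request Authenticator
    (random per request), then the attributes. Only User-Password is hidden;
    User-Name and every other attribute travel in cleartext."""
    ra = request_authenticator or os.urandom(16)
    if len(ra) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(secret, ra, password))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + ra + attrs


def parse_attributes(packet: bytes) -> dict:
    """Return {attribute type: [values]} for a RADIUS packet, checking the length
    field and each attribute header before trusting them."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("length field does not match the packet")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(attr_type, []).append(packet[pos + 2:pos + attr_len])
        pos += attr_len
    return attrs


if __name__ == "__main__":
    # Constructed test values; a real client uses os.urandom(16) for the authenticator.
    secret, ra = b"constructed-shared-secret", bytes(range(16))
    pkt = build_access_request(secret, 7, b"alice", b"S3cret!", request_authenticator=ra)
    attrs = parse_attributes(pkt)
    print("User-Name on the wire:    ", attrs[ATTR_USER_NAME][0])
    print("User-Password on the wire:", attrs[ATTR_USER_PASSWORD][0].hex())
    print("recovered with the secret:", unhide_password(secret, ra, attrs[ATTR_USER_PASSWORD][0]))
```

The username appears verbatim in the packet bytes while the password does not, and the hidden password comes back only with the right secret; a captured Access-Request plus the shared secret is therefore enough to recover every password sent through it.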

RADIUS Server Monitoring

An unresponsive RADIUS server delays the processing of AAA requests. You can configure the switch to periodically monitor a RADIUS server to check whether it is responding (alive), so that no time is lost on it when real AAA requests arrive. The switch marks unresponsive RADIUS servers as dead and does not send AAA requests to dead servers. The switch periodically monitors the dead RADIUS servers and returns them to the alive state once they respond. This process verifies that a RADIUS server is working before real AAA requests are sent to it. Whenever a RADIUS server changes to the dead or alive state, a Simple Network Management Protocol (SNMP) trap is generated and the switch logs an error message reporting the failure.

The following figure shows the different RADIUS server states:

Figure 1. RADIUS Server States

Note

The monitoring intervals for alive servers and for dead servers are different, and each can be configured by the user. RADIUS server monitoring is performed by sending a test authentication request to the RADIUS server, so the test username and password cross the network and reach the server like any real login attempt.

Vendor-Specific Attributes

The IETF RADIUS standard (RFC 2865) specifies a method for communicating vendor-specific attributes (VSAs) between the network access server and the RADIUS server: attribute 26 (Vendor-Specific) carries a 4-byte vendor ID followed by the vendor's own sub-attributes. VSAs allow vendors to support extended attributes that are not suitable for general use. The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. The Cisco vendor ID is 9, and the supported option is vendor type 1, which is named cisco-av-pair. The value is a string with the following format:

protocol : attribute separator value

The protocol is a Cisco attribute for a particular type of authorization, and the separator is an equal sign (=) for mandatory attributes or an asterisk (*) for optional attributes.

When you use RADIUS servers for authentication on a Cisco Nexus device, the RADIUS protocol directs the RADIUS server to return user attributes, such as authorization information, with the authentication results. This authorization information is specified through VSAs.

The following VSA protocol options are supported by the Cisco Nexus device:

Shell—Used in Access-Accept packets to provide user profile information.

Accounting—Used in Accounting-Request packets. If a value contains any white space, enclose the value in double quotation marks.

The Cisco Nexus device supports the following attributes:

roles—Lists all the roles to which the user belongs. The value field is a string of role names delimited by white space.

accountinginfo—Stores accounting information in addition to the attributes covered by the standard RADIUS accounting protocol. This attribute is sent only in the VSA portion of the Accounting-Request packets from the RADIUS client on the switch. It can be used only with the accounting protocol data units (PDUs).
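The cisco-av-pair encoding and the roles attribute described above, as an added Python example that is not from the Cisco guide: it wraps an av-pair string in attribute 26 with vendor ID 9 and vendor type 1, decodes it back out of an Access-Accept attribute list, and splits the string into protocol, attribute, separator and value so that mandatory (=) and optional (*) pairs can be told apart. The av-pair strings and the second-vendor VSA (vendor ID 311) in the demonstration are constructed; the roles value is quoted because it contains white space.

```python
import struct

ATTR_VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1            # Cisco vendor type 1: cisco-av-pair


def encode_cisco_avpair(avpair: str) -> bytes:
    """Attribute 26 layout: type, length, 4-byte vendor ID, then one vendor
    sub-attribute made of vendor type, vendor length and the string."""
    value = avpair.encode()
    if len(value) > 247:  # 253-byte attribute value minus vendor ID and sub-header
        raise ValueError("cisco-av-pair too long for a single attribute")
    sub = struct.pack("!BB", CISCO_AVPAIR, len(value) + 2) + value
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, len(body) + 2) + body


def iter_attributes(attrs: bytes):
    """Yield (type, value) from a RADIUS attribute list (the bytes after the
    20-byte packet header), refusing truncated or zero-length attributes."""
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = attrs[pos], attrs[pos + 1]
        if attr_len < 2 or pos + attr_len > len(attrs):
            raise ValueError("malformed attribute")
        yield attr_type, attrs[pos + 2:pos + attr_len]
        pos += attr_len


def decode_cisco_avpairs(attrs: bytes) -> list:
    """Every cisco-av-pair string carried in attribute 26 with vendor ID 9.
    VSAs from other vendors and other Cisco vendor types are ignored."""
    pairs = []
    for attr_type, value in iter_attributes(attrs):
        if attr_type != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        pos = 4
        while pos < len(value):
            if pos + 2 > len(value):
                raise ValueError("truncated vendor sub-attribute")
            vtype, vlen = value[pos], value[pos + 1]
            if vlen < 2 or pos + vlen > len(value):
                raise ValueError("malformed vendor sub-attribute")
            if vtype == CISCO_AVPAIR:
                pairs.append(value[pos + 2:pos + vlen].decode())
            pos += vlen
    return pairs


def parse_avpair(avpair: str) -> dict:
    """Split "protocol:attribute=value" (mandatory) or "protocol:attribute*value"
    (optional) into its parts. The first "=" or "*" after the colon is the
    separator, so the value itself may contain either character."""
    protocol, colon, rest = avpair.partition(":")
    if not colon:
        raise ValueError(f"missing protocol prefix: {avpair!r}")
    positions = [i for i in (rest.find("="), rest.find("*")) if i >= 0]
    if not positions:
        raise ValueError(f"missing separator: {avpair!r}")
    sep = min(positions)
    return {"protocol": protocol, "attribute": rest[:sep],
            "mandatory": rest[sep] == "=", "value": rest[sep + 1:]}


def roles_from_access_accept(attrs: bytes) -> list:
    """Role names from shell:roles pairs: a white-space delimited list that may
    be wrapped in double quotes."""
    roles = []
    for pair in decode_cisco_avpairs(attrs):
        parsed = parse_avpair(pair)
        if parsed["protocol"] == "shell" and parsed["attribute"] == "roles":
            roles.extend(parsed["value"].strip('"').split())
    return roles


if __name__ == "__main__":
    # Constructed Access-Accept attribute list: one Cisco VSA plus a VSA from
    # another vendor ID (311) that the decoder must skip.
    attrs = encode_cisco_avpair('shell:roles="network-operator vdc-admin"')
    attrs += bytes([26, 9, 0, 0, 1, 55, 1, 3]) + b"x"
    print(decode_cisco_avpairs(attrs))
    print(roles_from_access_accept(attrs))
```

A server that returns roles the switch does not know, or returns them in a VSA with the wrong vendor ID, is indistinguishable from a server that returns nothing, so check the decoded role list against the switch's configured roles when debugging an authorization failure.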

Prerequisites for RADIUS

RADIUS has the following prerequisites:

You must obtain IPv4 or IPv6 addresses or hostnames for the RADIUS servers.

You must obtain the preshared keys from the RADIUS servers. The preshared key (shared secret) is what hides the User-Password attribute and what lets the switch check that a response came from the server, so use a long random value, configure a different key per server where you can, and protect it like any other credential.

Ensure that the Cisco Nexus device is configured as a RADIUS client of the AAA servers.

Configuring RADIUS Server Hosts

You must configure the IPv4 or IPv6 address or the hostname for each RADIUS server that you want to use for authentication. All RADIUS server hosts are added to the default RADIUS server group. You can configure up to 64 RADIUS servers.

Configuring RADIUS Server Groups

You can specify one or more remote AAA servers for authentication using server groups. All members of a group must use the RADIUS protocol. The servers are tried in the same order in which you configure them.

Procedure

Step 1
switch# configure terminal
Enters global configuration mode.

Step 2
switch(config)# aaa group server radius group-name
Creates a RADIUS server group and enters the RADIUS server group configuration submode for that group. The group-name argument is a case-sensitive, alphanumeric string with a maximum of 127 characters.

Configuring the Global RADIUS Transmission Retry Count and Timeout Interval

You can configure a global retransmission retry count and timeout interval for all RADIUS servers. By default, the switch retries transmission to a RADIUS server only once before reverting to local authentication. You can increase this number up to a maximum of five retries per server. The timeout interval determines how long the Cisco Nexus device waits for a response from a RADIUS server before declaring a timeout failure.

Procedure

Step 1
switch# configure terminal
Enters global configuration mode.

Step 2
switch(config)# radius-server retransmit count
Specifies the retransmission count for all RADIUS servers. The default retransmission count is 1 and the range is from 0 to 5.

Step 3
switch(config)# radius-server timeout seconds
Specifies the transmission timeout interval for RADIUS servers. The default timeout interval is 5 seconds and the range is from 1 to 60 seconds.

Step 4
switch(config)# exit
Exits global configuration mode.

Step 5
switch# show radius-server
(Optional) Displays the RADIUS server configuration.

Step 6
switch# copy running-config startup-config
(Optional) Copies the running configuration to the startup configuration.

This example shows how to set the retry count to 3 and the transmission timeout interval to 5 seconds for RADIUS servers:

Configuring Accounting and Authentication Attributes for RADIUS Servers

You can specify that a RADIUS server is to be used only for accounting purposes or only for authentication purposes. By default, RADIUS servers are used for both accounting and authentication. You can also specify the destination UDP port numbers to which RADIUS accounting and authentication messages are sent; the standard ports are 1812 for authentication and 1813 for accounting.

Configuring Periodic RADIUS Server Monitoring

You can monitor the availability of RADIUS servers. The monitoring parameters for a server are the username and password used in the test request and an idle timer. The test idle timer specifies how long a RADIUS server may receive no requests before the switch sends out a test packet. You can configure this option to test servers periodically.

Note

For security reasons, we recommend that you do not configure a test username that is the same as an existing user in the RADIUS database. The test request is an ordinary Access-Request that is sent again and again, so a test account that is also a valid user turns the probe into a standing set of working credentials on the wire.

The default idle timer value is 0 minutes. When the idle time interval is 0 minutes, the switch does not perform periodic RADIUS server monitoring.

Configuring the Dead-Time Interval

You can configure the dead-time interval for all RADIUS servers. The dead-time interval specifies the time that the Cisco Nexus device waits after declaring a RADIUS server dead before sending out a test packet to determine whether the server is alive again. The default value is 0 minutes.

Note

When the dead-time interval is 0 minutes, RADIUS servers are not marked as dead even if they are not responding. Every AAA request is then still sent to the unresponsive server in its turn and waits through the full timeout and retransmit budget before moving on, so one server outage slows every login until the dead-time is set to a non-zero value. You can configure the dead-time interval for a RADIUS server group. See Configuring RADIUS Server Groups.
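The failover rules from the RADIUS Server Monitoring section, the retransmit and timeout settings, and the dead-time note above, as an added Python model that is not from the Cisco guide or from NX-OS. It implements the client side of those rules: servers are tried in the order they were configured, each gets retransmit + 1 attempts of timeout seconds, a server that never answers is marked dead only when the dead-time is non-zero, and a dead server is skipped until its dead-time has elapsed. The transport and the clock are constructed stand-ins so the code runs offline; the server addresses, the timings and the reply bytes are assumptions.

```python
import time
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class RadiusServer:
    host: str
    dead_since: Optional[float] = None   # clock value when marked dead; None = alive
    attempts: int = 0                    # requests sent to this server
    timeouts: int = 0                    # requests that got no reply


@dataclass
class RadiusClient:
    servers: list                        # RadiusServer objects in configured order
    timeout: float = 5.0                 # radius-server timeout (seconds, 1..60)
    retransmit: int = 1                  # radius-server retransmit (0..5)
    deadtime_min: int = 0                # radius-server deadtime (minutes, 0 or 1..1440)
    clock: Callable[[], float] = time.monotonic

    def is_dead(self, server: RadiusServer) -> bool:
        """A dead server becomes eligible again once deadtime_min has passed."""
        if server.dead_since is None:
            return False
        if self.clock() - server.dead_since >= self.deadtime_min * 60:
            server.dead_since = None
            return False
        return True

    def _try_server(self, server: RadiusServer, send):
        """retransmit + 1 attempts; send(host, timeout) returns the reply bytes,
        or None when the timeout expired without an answer."""
        for _ in range(self.retransmit + 1):
            server.attempts += 1
            reply = send(server.host, self.timeout)
            if reply is not None:
                return reply
            server.timeouts += 1
        return None

    def authenticate(self, send):
        """(host, reply) from the first live server that answers, or (None, None)
        when every server timed out, which is when the switch falls back to
        local authentication."""
        for server in self.servers:
            if self.is_dead(server):
                continue
            reply = self._try_server(server, send)
            if reply is not None:
                return server.host, reply
            if self.deadtime_min > 0:          # deadtime 0: never marked dead
                server.dead_since = self.clock()
        return None, None

    def worst_case_delay(self) -> float:
        """Seconds one login can wait when no server answers and none is marked
        dead (deadtime 0): every server burns its full retry budget."""
        return len(self.servers) * (self.retransmit + 1) * self.timeout


class SimulatedNetwork:
    """Constructed stand-in for the UDP transport and the clock: an up server
    answers at once, a down server swallows the request and the whole timeout
    elapses on the simulated clock."""

    def __init__(self, up: dict):
        self.up = up
        self.now = 0.0

    def clock(self) -> float:
        return self.now

    def send(self, host: str, timeout: float):
        if self.up.get(host):
            return b"Access-Accept"
        self.now += timeout
        return None


if __name__ == "__main__":
    net = SimulatedNetwork({"192.0.2.1": False, "192.0.2.2": True})
    client = RadiusClient([RadiusServer("192.0.2.1"), RadiusServer("192.0.2.2")],
                          timeout=5, retransmit=1, deadtime_min=5, clock=net.clock)
    for login in range(2):
        print("login", login, client.authenticate(net.send), "elapsed", net.now, "s")
    print("worst case per login with deadtime 0:", client.worst_case_delay(), "s")
```

With dead-time 5 the first login pays 10 seconds for the unresponsive first server and the second login skips it; with dead-time 0 every login pays those 10 seconds again, and with both servers down a login waits the full worst_case_delay before local authentication is consulted.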

Procedure

Step 1
switch# configure terminal
Enters global configuration mode.

Step 2
switch(config)# radius-server deadtime minutes
Configures the dead-time interval. The default value is 0 minutes. The range is from 1 to 1440 minutes.

Step 3
switch(config)# exit
Exits global configuration mode.

Step 4
switch# show radius-server
(Optional) Displays the RADIUS server configuration.

Step 5
switch# copy running-config startup-config
(Optional) Copies the running configuration to the startup configuration.

This example shows how to configure a dead-time of 5 minutes for a RADIUS server: